topic Re: Case Statement Issue in Splunk Search

Case Statement Issue

Bbyers3 — Wed, 30 Sep 2020 03:48:13 GMT

I'm Having issues with my case statement.

index=sti_123 source=rss_servers active = "1" status = "Being Commissioned"

| eval Timenow=now()
| eval days_since_provisioned = Timenow - date_provisioned
| eval bucket = case(days_since_provisioned <=179, "Less Than 180", days_since_provisioned <= 210, "180-210", days_sinced_provisioned >= 210, "Greater Than 210")
| chart count by bucket

I believe it is the bucket case statement that is the issue, because I remove the "By bucket" and it gives me the correct total, but I just need to be able to say X server has been in this stage for A B or C length

Re: Case Statement Issue

jimodonald — Thu, 23 Jan 2020 20:16:26 GMT

"bucket" is a search command and could be skewing your results. try renaming your "bucket" to "mybucket" and see if that helps.

Re: Case Statement Issue

jpolvino — Wed, 30 Sep 2020 03:48:21 GMT

This, and also please check your case statement because you have one field named days_sinced_provisioned in there.

A best practice here is to have a pair at the end:
1==1,"Other"

This will help you identify cases where you have a logic hole, or maybe events that don't have a time value, and therefore won't participate in your counts.

Re: Case Statement Issue

13tsavage — Wed, 30 Sep 2020 03:48:28 GMT

Try this:

| eval Timenow=now()
| convert timeformat="%Y/%m/%d" mktime(_time) as date_provisioned
| eval days_since_provisioned=Timenow-floor(date_provisioned)
| eval bucket=case(days_since_provisioned<=179, "Less Than 180", days_since_provisioned<=210, "180-210", days_sinced_provisioned>=210, "Greater Than 210")
| chart count by bucket

I do not think you had your date_provisioned field is configured in your last search so that screwed up your days_since_provisioned eval.

I created a date_provisioned field using the convert timeformat=... mktime(_time) as date_provisioned. Then added in the rest of your search with some minor tweaks.

Hope this helps!